Re: If I am paranoid, should I do it?
From: Richard E. Silverman (slade@shore.net)
Date: 19 Dec 2001 04:28:51 -0500
>>>>> "Marcus" == Marcus <talos@algonet.se> writes:
Marcus> I must disagree with the previous two postings... I am also
Marcus> very paranoid and I say (in this case), if you have CPU power,
Marcus> use it to strengthen security... If decreasing the time would,
Marcus> as someone mentioned, probably make it harder to break into
Marcus> your system, then do.
Decreasing the regen interval will not make it "harder to break into your
system." It's not feasible to break a server key by brute force within
the default interval of an hour. An attacker would have to break into the
SSH server machine *by separate means*, manage to extract the server key
from the memory space of the running sshd -- and even then he could only
use it to decrypt current SSH sessions, recorded since their beginning and
started within the lifetime of that server key.
The forward secrecy provided by the server key is about protecting
recorded sessions from later decryption, not about host security. A
decrypted session might reveal something that affects host security, like
a typed password -- but your security would already have been seriously
breached in order to obtain it in this way.
-- Richard Silverman slade@shore.net
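To make the exposure window in Silverman's reply concrete, here is an added model (not from the original thread, and not code from any SSH implementation) that, given a constructed list of recorded sessions, lists which ones a server key pulled from sshd memory at a given moment would let an attacker decrypt. It assumes sshd regenerates the server key on a fixed schedule starting at time zero; the session records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Constructed record of one SSH-1 session (times in seconds since sshd start)."""
    name: str
    start: int
    recorded_from_start: bool  # the capture includes the session's key exchange


def key_epoch(t: int, interval: int) -> tuple[int, int]:
    """Lifetime [gen, gen + interval) of the server key that was live at time t.

    Assumption: regeneration happens on a fixed schedule anchored at t = 0.
    """
    gen = (t // interval) * interval
    return gen, gen + interval


def exposed_sessions(sessions, interval: int, compromise_time: int) -> list[str]:
    """Names of sessions decryptable with the server key extracted at compromise_time.

    As the reply states, a session is only at risk if it started while that key
    was live and the recording covers it from its beginning; everything else
    stays protected regardless of the later memory dump.
    """
    lo, hi = key_epoch(compromise_time, interval)
    return sorted(s.name for s in sessions
                  if lo <= s.start < hi and s.recorded_from_start)


# Constructed sample: six sessions over a few hours; the attacker dumps sshd at t=5000.
SESSIONS = [
    Session("alice", 200, True),    # started under an earlier, already discarded key
    Session("bob", 3700, True),
    Session("carol", 4000, False),  # capture began mid-session: no key exchange recorded
    Session("dave", 4500, True),
    Session("frank", 4900, True),
    Session("erin", 8000, True),    # started after the dump, under a later key
]

if __name__ == "__main__":
    # Shorter regeneration interval shrinks the set of decryptable sessions
    # but changes nothing about how the attacker got onto the host.
    for interval in (3600, 600):
        print(interval, exposed_sessions(SESSIONS, interval, 5000))
```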